Anuj,

Do you see showstopper issues with this patch? Or did it just fall
through the cracks accidentally?

On 12/11/25 12:33, Vrushti Dabhi -X (vdabhi - E INFOCHIPS PRIVATE
LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Vrushti Dabhi <[email protected]>
>
> Upstream Repository: https://sourceforge.net/projects/p7zip/
>
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2022-47069
> Type: Security Fix
> CVE: CVE-2022-47069
> Score: 7.8
>
> Note:
> - Commit [1] updates the complete p7zip archive source for v17 and includes
> changes that fix CVE-2022-47069; the fix-related changes were adapted to the
> current p7zip v16.02.
> - Similar changes via [2] have been integrated into the upstream 7zip package,
> which replaced p7zip 16.02 in OE-Core master.
> For the testing:
> - Verified fix using steps mentioned at [3], trace not observed.
> - Validated against known malicious ZIP samples [3]
>
> References:
> [1] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
> [2] https://github.com/ip7z/7zip/commit/f19f813537c7
> [3] https://sourceforge.net/p/p7zip/bugs/241/
> [4] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069
>
> Signed-off-by: Vrushti Dabhi <[email protected]>
> ---
>  .../p7zip/files/CVE-2022-47069.patch          | 63 +++++++++++++++++++
>  meta-oe/recipes-extended/p7zip/p7zip_16.02.bb |  1 +
>  2 files changed, 64 insertions(+)
>  create mode 100644 meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch
>
> diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch 
> b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch
> new file mode 100644
> index 0000000000..586c0e82dc
> --- /dev/null
> +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2022-47069.patch
> @@ -0,0 +1,63 @@
> +From 633f61e2eaf6530cf7e53c702c06de1b7a840fa7 Mon Sep 17 00:00:00 2001
> +From: Vrushti Dabhi <[email protected]>
> +Date: Thu, 27 Nov 2025 01:36:55 -0800
> +Subject: [PATCH] Fix out-of-bounds read in ZIP archive processing
> + (CVE-2022-47069)
> +
> +Add bounds checking and replace unsafe pointer arithmetic with index-based
> +access in FindCd() to prevent out-of-bounds read when processing malformed
> +ZIP archives.
> +
> +Testing:
> +- Verified fix using steps mentioned at [1], trace not observed.
> +- Validated against known malicious ZIP samples [1]
> +- Changes merged in upstream p7zip via [2]
> +
> +CVE: CVE-2022-47069
> +Upstream-Status: Pending
> +
> +References:
> +[1] https://sourceforge.net/p/p7zip/bugs/241/
> +[2] https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2
> +[3] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-47069
> +
> +Signed-off-by: Vrushti Dabhi <[email protected]>
> +---
> + CPP/7zip/Archive/Zip/ZipIn.cpp | 10 ++++++----
> + 1 file changed, 6 insertions(+), 4 deletions(-)
> +
> +diff --git a/CPP/7zip/Archive/Zip/ZipIn.cpp b/CPP/7zip/Archive/Zip/ZipIn.cpp
> +index c71c40f..84213b4 100644
> +--- a/CPP/7zip/Archive/Zip/ZipIn.cpp
> ++++ b/CPP/7zip/Archive/Zip/ZipIn.cpp
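Review bot: the trailer of the embedded commit message contradicts its own testing notes: it states "Changes merged in upstream p7zip via [2]" but carries "Upstream-Status: Pending". If the change is adapted from that upstream commit, mark it "Upstream-Status: Backport [https://github.com/p7zip-project/p7zip/commit/d7a903ff13c2]" and note the adaptation to 16.02 in the message, or say why Pending applies (for example because the sourceforge repository listed as upstream is not the repository the commit lives in). Reference [3] in this message is listed but never cited.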
> +@@ -1095,11 +1095,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode)
> +     
> +     if (i >= kEcd64Locator_Size)
> +     {
> +-      const Byte *locatorPtr = buf + i - kEcd64Locator_Size;
> +-      if (Get32(locatorPtr) == NSignature::kEcd64Locator)
> ++      const size_t locatorIndex = i - kEcd64Locator_Size;
> ++      if (Get32(buf + locatorIndex) == NSignature::kEcd64Locator)
> +       {
> +         CLocator locator;
> +-        locator.Parse(locatorPtr + 4);
> ++        locator.Parse(buf + locatorIndex + 4);
> +         if ((cdInfo.ThisDisk == locator.NumDisks - 1 || cdInfo.ThisDisk == 
> 0xFFFF)
> +             && locator.Ecd64Disk < locator.NumDisks)
> +         {
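Review bot: this hunk is a behaviour-preserving rename: `buf + locatorIndex` is the same address the old `locatorPtr` held, and the existing `if (i >= kEcd64Locator_Size)` already keeps it inside `buf`, so on its own it adds no bounds check. The patch subject ("replace unsafe pointer arithmetic with index-based access ... to prevent out-of-bounds read") overstates this part; the message should say the index is introduced so that the `kEcd64_FullSize` guard added further down in FindCd() can be expressed on it, since the protection comes from that guard, not from this rewrite.
</grinsert>
<gr_insert after="109" cat="add_content" orig="> +               UInt64">
Review bot: the added `if (locatorIndex >= kEcd64_FullSize)` has no braces and guards the following `if (checkOffsetMode || absEcd64 == locator.Ecd64Offset)` only because that is the next statement; if an `else` belongs to that inner `if` later in the function (not visible in this hunk) it binds to the inner `if`, and the nested brace-less `if` is the pattern dangling-else warnings flag. Fold the check into the condition, e.g. `if (locatorIndex >= kEcd64_FullSize && (checkOffsetMode || absEcd64 == locator.Ecd64Offset))`, or add braces with a comment stating that the ECD64 record is skipped when fewer than `kEcd64_FullSize` bytes precede the locator. The check itself is the right one: `ecd64 = buf + locatorIndex - kEcd64_FullSize` can only point before `buf` when that condition is false, and `locatorIndex` is at most `i`, so the `kEcd64_FullSize` bytes read from `ecd64` stay inside the buffer. The blank line added by the `++` line just above the guard is an unrelated whitespace change and can be dropped.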
> +@@ -1110,9 +1110,11 @@ HRESULT CInArchive::FindCd(bool checkOffsetMode)
> +           // we try relative backward reading.
> + 
> +           UInt64 absEcd64 = endPos - bufSize + i - (kEcd64Locator_Size + 
> kEcd64_FullSize);
> ++
> ++          if (locatorIndex >= kEcd64_FullSize)
> +           if (checkOffsetMode || absEcd64 == locator.Ecd64Offset)
> +           {
> +-            const Byte *ecd64 = locatorPtr - kEcd64_FullSize;
> ++            const Byte *ecd64 = buf + locatorIndex - kEcd64_FullSize;
> +             if (Get32(ecd64) == NSignature::kEcd64)
> +             {
> +               UInt64 mainEcd64Size = Get64(ecd64 + 4);
> +-- 
> +2.35.6
> +
> diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb 
> b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
> index 31a12fdb04..3ac0ed03cd 100644
> --- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
> +++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb
> @@ -13,6 +13,7 @@ SRC_URI = 
> "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al
>             file://CVE-2018-5996.patch \
>             file://CVE-2016-9296.patch \
>             file://0001-Fix-two-buffer-overflow-vulnerabilities.patch \
> +           file://CVE-2022-47069.patch \
>             "
>  
>  SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf"
>
> 
>

View/Reply Online (#122792): 
https://lists.openembedded.org/g/openembedded-devel/message/122792